PayPal password validation

I found I was still using an old shared password on my PayPal account and decided that was a bad thing. So I used KeePass to generate a new password. Normally I use a 128-bit hex key; it's not like I ever have to type it, so there's no reason to avoid ridiculous passwords.

PayPal won't accept it. The only validation error I get is "Password must be at least 8 characters long." Come on now, I just tried a 32-character password and you can't even give me a meaningful validation error!

I can't even figure out their rules. I added uppercase letters, no dice. Added special symbols, no dice. Dropped it to 16 characters in length, no dice. WTF.

My bad. I was looking at the wrong entry. The one for PayPal is upper, lower, digits, special and brackets. Quality = 118 bits; not quite full, but definitely well into the green. Oddly, the first one was 128 bits without including brackets. Yay randomness.

Mine's 20 characters of mixed lowercase, uppercase, numeric and special, but without - or _ or whitespace. If I recall correctly it was the whitespace that PayPal wouldn't allow.

For the few passwords it's not convenient to store in KeePass, I prefer to use passwords that look like nwwcy.ewwou.ffwtw.hndod.zxams. 25 random lowercase letters is 117 bits of entropy, which is plenty; they reliably survive being handwritten, and they're surprisingly easy to type on a soft keyboard (except, of course, the iPhone one, which inexplicably pushes . onto a shift page).

I used to use spaces instead of dots, but got burned once too often by a cheap wireless router. Amazing the number of those things that run shitty internal wpasupplicant scripts that break when you put a space in the WPA2 key.

It also pisses me off that Apple won't let me use an Apple Account password in this format and yet has no problem with "Apple123".
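The 117-bit figure above is just 25 × log2(26). As an added example (not code from the original thread or from KeePass), here is a small Python script that generates passwords with the standard library's CSPRNG for the three alphabets the posters mention (32 hex digits, 25 lowercase letters, 20 mixed-class characters), computes their entropy, and shows the length each alphabet needs to reach 128 bits. The `policy_problems` rule set is an assumption modelled on one poster's recollection (minimum length, no whitespace, no - or _), not PayPal's actual rules; its purpose is to show what a meaningful validation error looks like.

```python
import math
import secrets
import string

# Added example, not code from the original thread. The alphabets are
# assumptions modelled on what the posters describe: a 32-digit hex key
# (KeePass's "128-bit hex key"), 25 random lowercase letters, and a
# 20-character password over all 94 printable ASCII symbols.
HEX = "0123456789abcdef"
LOWER = string.ascii_lowercase
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a password whose symbols are drawn uniformly and independently."""
    return length * math.log2(alphabet_size)


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length that reaches target_bits with the given alphabet."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate(alphabet: str, length: int, group: int = 0, sep: str = ".") -> str:
    """Draw `length` symbols with the CSPRNG in `secrets`.

    With group > 0 the symbols are split into fixed-size chunks joined by
    sep (nwwcy.ewwou.ffwtw...). The separators sit at fixed positions and
    contribute no entropy; only the random symbols count.
    """
    symbols = [secrets.choice(alphabet) for _ in range(length)]
    if group <= 0:
        return "".join(symbols)
    chunks = ("".join(symbols[i:i + group]) for i in range(0, length, group))
    return sep.join(chunks)


def policy_problems(password: str, min_len: int = 8, disallowed: str = " \t-_") -> list:
    """Assumed rule set modelled on one poster's recollection (minimum length,
    no whitespace, no '-' or '_'); not PayPal's actual rules. Returns every
    specific reason for rejection instead of one generic message."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    bad = sorted({c for c in password if c in disallowed})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems


if __name__ == "__main__":
    for name, alphabet, length in [("hex", HEX, 32), ("lowercase", LOWER, 25), ("mixed", MIXED, 20)]:
        pw = generate(alphabet, length, group=5 if name == "lowercase" else 0)
        print(f"{name:10} {pw}  {entropy_bits(len(alphabet), length):.1f} bits")
    for name, size in [("hex", 16), ("lowercase", 26), ("mixed", 94)]:
        print(f"{name:10} needs {length_for_bits(size, 128)} symbols for 128 bits")
    # Constructed input: the dotted scheme with spaces instead of dots.
    print(policy_problems("nwwcy ewwou ffwtw hndod zxams"))
```

Lowercase-only needs 28 letters to match a 32-digit hex key, and a 94-symbol alphabet gets there at 20 characters, which is why the 20-character mixed password mentioned above and the 25-letter scheme land in the same range. Complexity classes only buy a couple of bits per symbol; length does the real work.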

I finally got something to work but I didn't pay attention to what I had to do. I know KeePass changed my "password safety bar" from full to like 1/3rd in the process.

Password policies are a joke. We use a mail campaign manager called Campaign Commander. Honest to god it's more secure than my bank account. The passwords expire every time I log in, the password rules are insane so I have to keep a record of my passwords, and they email you an access key that you need every time you try to log in.

I changed my eBay password at the same time. The only WTF there was that they disabled pasting from the clipboard into the password fields, which took me all of 6.2 seconds to undo using Firefox's built-in developer tools so I could paste in from KeePass. No way I'm typing out a 32-character hex string by hand!

TRWTF with PayPal passwords is that either they or their parent company (eBay) will not allow you to ever reuse a password. I think the majority of password policies are fucking retarded, but theirs takes the cake. I tend to rotate my passwords, but they require a unique one every fucking time.

...which would of course be no problem at all if they just made it easy to use KeePass or something like it rather than requiring users to screw with its default password generation rules.

Most of what passes for "security" in 2014, it seems to me, consists of workarounds for the fact that people don't use password management software and do use shitty human-generated, human-memorable secrets and share them across multiple services. I proselytize KeePass to my customers, and most of them like it once they understand what it does and why they should care, but it's slow going.

My dad insists on using a different password for each account. Which would be great except that his idea of a secure password is a family member's first name followed by one of three or four four-digit numbers.

Nor should he have to. He should be using password management software to do that, because that's actually secure in ways that human brains are ill adapted to match. You need to sit your dad down and show him KeePass until he actually Gets It.

Of course this means that I should keep it written down / stored somewhere, because every time I forget it and request a new one it gets just more and more frustrating.

Very secure.

Oh, and the brackets etc. problem? It seems to be fashionable to not do anything to the text fields but throw more or less accurate error messages. I vaguely recall having seen HTML forms where you could enter a phone number as 111-222 333 or even +111-222-333 444; now you just get an error message complaining about illegal characters. The silliest site required the standardized phone number format for the "mobile" field, but rejected the same format on the "phone" field. I hope they don't ever try to actually call me from abroad.